GDPR Compliance

Team Polyrific

You may have heard about the term GDPR Compliance and may be wondering what this is all about.

The General Data Protection Regulation (GDPR) is a regulation of the European Union and the European Economic Area, created specifically to govern data protection and privacy, and the transfer of data belonging to European citizens outside of these designated areas.

What does that mean for your business and its operations?

If you process personal information for European Union citizens or offer goods and services to this region's citizens, this regulation applies to you, regardless of your current location.

Some of the necessary items for GDPR are:

  • Data held by the business must be processed lawfully, fairly, and transparently.
  • Data must be collected and processed only for the stated purpose, and done so lawfully.
  • The minimum amount of data needed for the intended purpose should be collected.
  • Data collected must be accurate and kept up to date.
  • The collected data should be kept only for as long as the process requires it.
  • Data must be protected according to the CIA Triad security model: its Confidentiality, Integrity, and Availability must be maintained at all times.
  • The business must be able to demonstrate accountability for the data it holds and for its compliance with all of the principles of GDPR.

While these are the essential items a business must follow throughout all of the processes involved, European citizens also hold the following additional rights:

  • The user has the right to be informed about the information held by the business.
  • The user has the right to access the information held by the business.
  • The user has the right to rectify any information held by the business.
  • The user has the right to request deletion of the data held by the business.
  • The user has the right to restrict data processing by the business.
  • The user has the right to request the transfer of the data held by the business.
  • The user has the right to object to any of the business's data processing activities or methods.
  • The user has the right to query and challenge automated decision-making and profiling involving their data.

A final consideration regarding all of these items, both the GDPR principles and the European citizens' rights, is that every one of these processes must be transparent: the business must be able to show the end-user how each of them was achieved.

For additional guidance, here is a short sheet on how to comply with GDPR with additional pointers for each item mentioned in this article.

Team Polyrific | Aug 16, 2021

The CCPA is changing consumers' rights in the United States, giving California residents control over how their personal information (PI) can be used.

The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020.
This law sets out the criteria that determine when a business must become compliant [Note: the company's size and industry do not matter; applicability is governed by the following items]:

  • The business, be it a subsidiary or a parent company, collects information about residents of the state of California.
  • CCPA defines a resident of California as:
    • A person in California for other than a temporary or transitory purpose
    • A person domiciled in California who is outside of the state for a temporary or transitory purpose
  • The business, be it a subsidiary or a parent company, exceeds one of the following thresholds:
    • Annual gross revenues that exceed 25 million USD
    • Obtains the personal information (PI) of more than 50,000 California residents, households, and/or devices per year
    • At least 50% of its annual revenue is generated from selling California residents' personal information (PI)

Having said this, the personal information (PI) of a California resident has the following considerations:

  • Information that relates to, describes, could be associated with, or could reasonably be linked to a consumer or household in California
  • Personal Information is defined as:
    • Name
    • Email addresses
    • Biometric data
    • IP addresses
    • Internet of Things data
    • Geolocation data
    • Employment data
    • Any data that could be linked or related to a resident of California

A business must then comply with the CCPA by building a privacy policy that contains at least the following items:

  • Identify what information is collected and processed
  • Purpose of collecting and processing the information
  • How this information is collected and processed
  • Methods through which a California resident can request the following actions:
    • Access their Personal Information (PI)
    • Change their Personal Information (PI)
    • Move their Personal Information (PI)
    • Delete their Personal Information (PI)
  • Methods used to identify and confirm the identity of the person submitting the request
  • What information from California residents is sold, and how these users can opt out of having their data sold [Note: you are not forbidden from selling the information, but an option to opt out must be provided]

Need help with CCPA and making your business and your applications compliant with this law? You can contact us through the form below, and we will get back to you to assist in this process.